DevSecOps test

Author: Taofeeqib

.github/workflows/devsecops-pipeline.yml

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Function to create placeholder SARIF file for dependency check
+function create_dependency_check_placeholder() {
+  echo '{
+    "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    "version": "2.1.0",
+    "runs": [
+      {
+        "tool": {
+          "driver": {
+            "name": "OWASP Dependency-Check",
+            "version": "placeholder",
+            "rules": []
+          }
+        },
+        "results": []
+      }
+    ]
+  }' > ./docs/reports/dependency-check-placeholder.sarif
+}
+
+echo "Checking if SARIF files exist in docs/reports directory"
+if [ -d "./docs/reports" ]; then
+  ls -la ./docs/reports/
+  echo "Found files in docs/reports directory"
+  sarifCount=$(find ./docs/reports -name "*.sarif" | wc -l)
+  
+  if [ "$sarifCount" -gt 0 ]; then
+    find ./docs/reports -name "*.sarif" | while read file; do
+      echo "Found SARIF file: $file"
+      echo "File contents (first 20 lines):"
+      head -n 20 "$file"
+    done
+  else
+    echo "No SARIF files found in docs/reports directory. Creating placeholder."
+    create_dependency_check_placeholder
+  fi
+else
+  echo "Reports directory does not exist!"
+  mkdir -p ./docs/reports
+  create_dependency_check_placeholder
+fi

.github/workflows/scripts/check-sca-results.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Configure git
+git config --local user.email "github-actions[bot]@users.noreply.github.com"
+git config --local user.name "github-actions[bot]"
+
+# Set merge strategy to avoid conflicts prompt
+git config pull.rebase false
+
+# Fetch latest changes from remote
+echo "Fetching latest changes from remote..."
+git fetch origin ${GITHUB_REF_NAME}
+
+# Check for changes in remote and merge if needed
+echo "Checking for updates from remote..."
+git pull origin ${GITHUB_REF_NAME} --strategy-option theirs || echo "Failed to pull, proceeding anyway"
+
+# Ensure docs/reports directory exists
+mkdir -p ./docs/reports/
+
+# Stage the changes
+echo "Adding report files to git..."
+git add ./docs/reports/
+
+# Verify changes were staged
+git status
+
+# Check if there are changes to commit
+if git diff --staged --quiet; then
+  echo "No changes to commit"
+else
+  # Commit the changes
+  echo "Committing report files..."
+  git commit -m "Add security scan reports [skip ci]"
+  
+  # Handle potential conflicts during push
+  echo "Pushing changes to the repository..."
+  git push origin ${GITHUB_REF_NAME} || {
+    # If push failed, try pull and merge again
+    echo "Push failed, attempting to merge remote changes and retry..."
+    git pull origin ${GITHUB_REF_NAME} --strategy-option theirs
+    # Try push again
+    git push origin ${GITHUB_REF_NAME} || echo "Failed to push after merge attempt"
+  }
+  
+  echo "Reports have been committed and pushed to the repository."
+  echo "View them at: https://github.com/${GITHUB_REPOSITORY}/tree/${GITHUB_REF_NAME}/docs/reports"
+fi

.github/workflows/scripts/commit-reports.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+mkdir -p ./docs/reports
+
+echo "Copying all artifacts to docs/reports directory..."
+
+# TruffleHog results
+if [ -d "./artifacts/trufflehog-results" ]; then
+  echo "Found TruffleHog results"
+  cp ./artifacts/trufflehog-results/* ./docs/reports/ || echo "No TruffleHog files to copy"
+else
+  echo "No TruffleHog results directory found"
+fi
+
+# CodeQL results
+if [ -d "./artifacts/codeql-results" ]; then
+  echo "Found CodeQL results"
+  cp ./artifacts/codeql-results/* ./docs/reports/ || echo "No CodeQL files to copy"
+else
+  echo "No CodeQL results directory found"
+fi
+
+# SCA results
+if [ -d "./artifacts/sca-results" ]; then
+  echo "Found SCA results"
+  cp ./artifacts/sca-results/* ./docs/reports/ || echo "No SCA files to copy"
+else
+  echo "No SCA results directory found"
+fi
+
+# SBOM results
+if [ -d "./artifacts/angular-xss-sbom" ]; then
+  echo "Found SBOM results"
+  cp ./artifacts/angular-xss-sbom/* ./docs/reports/ || echo "No SBOM files to copy"
+else
+  echo "No SBOM results directory found"
+fi
+
+# ZAP results
+if [ -d "./artifacts/zap-reports" ]; then
+  echo "Found ZAP results"
+  cp ./artifacts/zap-reports/* ./docs/reports/ || echo "No ZAP files to copy"
+else
+  echo "No ZAP results directory found"
+fi
+
+# Verify copied files
+echo "Files in docs/reports directory after copying artifacts:"
+ls -la ./docs/reports/
+
+# Run verification script to check for required reports
+echo "Running verification script..."
+chmod +x ./verify-reports.sh
+./verify-reports.sh

.github/workflows/scripts/copy-artifacts.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Function to create ZAP XML placeholder
+function create_zap_xml_placeholder() {
+  echo '<?xml version="1.0" encoding="UTF-8"?>' > ./docs/reports/zap-baseline-report.xml
+  echo '<OWASPZAPReport version="2.11.0" generated="2025-09-07T12:00:00">' >> ./docs/reports/zap-baseline-report.xml
+  echo '  <site name="http://localhost:4200">' >> ./docs/reports/zap-baseline-report.xml
+  echo '    <alerts></alerts>' >> ./docs/reports/zap-baseline-report.xml
+  echo '  </site>' >> ./docs/reports/zap-baseline-report.xml
+  echo '</OWASPZAPReport>' >> ./docs/reports/zap-baseline-report.xml
+}
+
+# Function to create ZAP JSON placeholder
+function create_zap_json_placeholder() {
+  echo '{' > ./docs/reports/zap-baseline-report.json
+  echo '  "site": "http://localhost:4200",' >> ./docs/reports/zap-baseline-report.json
+  echo '  "generated": "2025-09-07T12:00:00",' >> ./docs/reports/zap-baseline-report.json
+  echo '  "version": "2.11.0",' >> ./docs/reports/zap-baseline-report.json
+  echo '  "alerts": []' >> ./docs/reports/zap-baseline-report.json
+  echo '}' >> ./docs/reports/zap-baseline-report.json
+}
+
+echo "Looking for ZAP Baseline Scan report files..."
+
+# Check in /tmp/zap-output where we directed ZAP to write reports
+echo "Checking in /tmp/zap-output:"
+ls -la /tmp/zap-output || echo "Directory not found"
+
+# Try to copy from our specific ZAP output directory first
+if [ -d "/tmp/zap-output" ]; then
+  echo "Copying reports from /tmp/zap-output:"
+  cp -v /tmp/zap-output/*.* ./docs/reports/ 2>/dev/null || echo "No files to copy from /tmp/zap-output"
+fi
+
+# Look for baseline scan reports only
+for report in \
+  ./zap-baseline-report.xml \
+  ./zap-baseline-report.json \
+  ./report_json.json \
+  ./report_xml.xml \
+  ./report_html.html \
+  ./report_md.md \
+  /tmp/zap-output/zap-baseline-report.xml \
+  /tmp/zap-output/zap-baseline-report.json \
+  /tmp/zap-baseline-report.xml \
+  /tmp/zap-baseline-report.json \
+  /zap/wrk/zap-baseline-report.xml \
+  /zap/wrk/zap-baseline-report.json; do
+  if [ -f "$report" ]; then
+    echo "Found report: $report"
+    cp -v "$report" ./docs/reports/
+  fi
+done
+
+# If no reports were found, create placeholders
+if [ ! -f "./docs/reports/zap-baseline-report.xml" ] && [ ! -f "./docs/reports/zap-baseline-report.json" ]; then
+  echo "Creating placeholder for ZAP baseline reports (XML and JSON)"
+  create_zap_xml_placeholder
+  create_zap_json_placeholder
+fi
+
+# Check if any reports were copied or created
+echo "Contents of docs/reports directory:"
+ls -la ./docs/reports/

.github/workflows/scripts/copy-zap-reports.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Function to create placeholder SARIF file
+function create_dependency_check_placeholder() {
+  echo '{
+    "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    "version": "2.1.0",
+    "runs": [
+      {
+        "tool": {
+          "driver": {
+            "name": "OWASP Dependency-Check",
+            "version": "placeholder",
+            "rules": []
+          }
+        },
+        "results": []
+      }
+    ]
+  }' > ./docs/reports/dependency-check-placeholder.sarif
+}
+
+# Find all SARIF files
+echo "Finding SARIF files in ./docs/reports directory"
+find ./docs/reports -name "*.sarif" -type f
+
+# Check if we have any SARIF files
+SARIF_COUNT=$(find ./docs/reports -name "*.sarif" -type f | wc -l)
+
+if [ "$SARIF_COUNT" -eq 0 ]; then
+  echo "No SARIF files found, creating placeholder"
+  create_dependency_check_placeholder
+  
+  echo "primary_sarif=./docs/reports/dependency-check-placeholder.sarif" >> $GITHUB_OUTPUT
+else
+  # Get the first SARIF file for primary upload
+  PRIMARY_SARIF=$(find ./docs/reports -name "*.sarif" -type f | head -1)
+  echo "Found primary SARIF file: $PRIMARY_SARIF"
+  echo "primary_sarif=$PRIMARY_SARIF" >> $GITHUB_OUTPUT
+fi

.github/workflows/scripts/find-sca-sarif.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# Generate TruffleHog report in docs/reports
+echo "Running TruffleHog scan manually to save report"
+docker run --rm -v $(pwd):/pwd trufflesecurity/trufflehog:latest github --repo file:///pwd --json > ./docs/reports/trufflehog-results.json || true

.github/workflows/scripts/generate-trufflehog-report.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Function to create placeholder SARIF file
+function create_placeholder_sarif() {
+  echo '{
+    "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    "version": "2.1.0",
+    "runs": [
+      {
+        "tool": {
+          "driver": {
+            "name": "CodeQL",
+            "version": "placeholder",
+            "rules": []
+          }
+        },
+        "results": []
+      }
+    ]
+  }' > ./docs/reports/codeql-results.sarif
+}
+
+echo "Listing CodeQL SARIF files in ./docs/reports:"
+find ./docs/reports -type f -name "*.sarif" | sort
+
+# Check if any SARIF files were generated
+if [ -n "$(find ./docs/reports -type f -name '*.sarif')" ]; then
+  # Create a consolidated sarif file for DefectDojo
+  echo "Creating consolidated SARIF file for DefectDojo"
+  
+  # Find the first SARIF file and make a copy for DefectDojo
+  FIRST_FILE=$(find ./docs/reports -type f -name "*.sarif" | head -1)
+  echo "Using file: $FIRST_FILE for consolidated results"
+  
+  # Make sure the file exists and is not a directory
+  if [ -f "$FIRST_FILE" ]; then
+    cp "$FIRST_FILE" ./docs/reports/codeql-results.sarif
+    
+    # Display info about the consolidated file
+    echo "Consolidated SARIF file created at ./docs/reports/codeql-results.sarif"
+    ls -la ./docs/reports/codeql-results.sarif
+    echo "First 20 lines of consolidated SARIF file:"
+    head -n 20 ./docs/reports/codeql-results.sarif
+  else
+    echo "Warning: Selected file is not a regular file. Creating placeholder instead."
+    create_placeholder_sarif
+  fi
+else
+  echo "No CodeQL SARIF files found, creating placeholder"
+  create_placeholder_sarif
+fi

.github/workflows/scripts/process-codeql-results.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Create comprehensive report index file
+echo "# DevSecOps Scan Reports" > ./docs/reports/README.md
+echo "Generated on $(date)" >> ./docs/reports/README.md
+echo "" >> ./docs/reports/README.md
+echo "## Available Reports" >> ./docs/reports/README.md
+
+# Process all artifacts and copy to docs/reports
+for artifact_dir in ./artifacts/*; do
+  if [ -d "$artifact_dir" ]; then
+    artifact_name=$(basename "$artifact_dir")
+    echo "Processing artifact: $artifact_name"
+    
+    # Copy all files from the artifact directory to docs/reports
+    cp -v $artifact_dir/* ./docs/reports/ 2>/dev/null || echo "No files to copy from $artifact_name"
+    
+    # Add entry to the report index
+    echo "- **$artifact_name**" >> ./docs/reports/README.md
+    for file in $artifact_dir/*; do
+      if [ -f "$file" ]; then
+        filename=$(basename "$file")
+        echo "  - [$filename](./$filename)" >> ./docs/reports/README.md
+      fi
+    done
+  fi
+done
+
+# Check if any reports were saved
+echo "Saved reports in docs/reports directory:"
+ls -la ./docs/reports/

.github/workflows/scripts/save-reports.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Check if docker-compose is available
+if ! command -v docker-compose &> /dev/null && ! docker compose version &> /dev/null; then
+  echo "Installing Docker Compose plugin"
+  # Install Docker Compose V2
+  DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
+  mkdir -p $DOCKER_CONFIG/cli-plugins
+  curl -SL https://github.com/docker/compose/releases/download/v2.23.0/docker-compose-linux-x86_64 -o $DOCKER_CONFIG/cli-plugins/docker-compose
+  chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose
+fi
+
+# Verify Docker and Docker Compose are installed
+echo "Docker version:"
+docker --version
+echo "Docker Compose version:"
+docker compose version || docker-compose --version || echo "Docker Compose not installed properly"